Re: Verifying enabled ciphers?
One more question regarding the SSLCipherSuite line. Our security auditor recommended that we change the line

    SSLCipherSuite HIGH:MEDIUM:!ADH

to

    SSLCipherSuite HIGH:MEDIUM:-ADH:-aNULL

What is the difference?

    openssl ciphers -v 'HIGH:MEDIUM:!ADH'

and

    openssl ciphers -v 'HIGH:MEDIUM:-ADH:-aNULL'

both return the same cipher list. Is there a practical difference in the two directives?

Thanks,
-- Steve [EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
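As an added illustration, not part of the thread, the Python model below follows the rules openssl ciphers(1) documents: a bare keyword appends its matches, '-' deletes matches that a later keyword may add back, '!' deletes them permanently, and aNULL matches every suite that does no server authentication, not only the ADH ones. The cipher attributes are a constructed, simplified subset of the 0.9.6 suites named in this thread, plus one anonymous ECDH suite (AECDH-AES128-SHA) that later OpenSSL releases added and that is aNULL without being ADH.

```python
# Constructed, simplified table: cipher name -> keywords it matches.
# OPENSSL_096 is a subset of the 0.9.6 suites named in this thread; LATER adds
# AECDH-AES128-SHA, an anonymous ECDH suite from later OpenSSL releases, which
# is aNULL but not ADH.
OPENSSL_096 = {
    "EDH-RSA-DES-CBC3-SHA": {"HIGH", "kEDH", "aRSA"},
    "DES-CBC3-SHA":         {"HIGH", "kRSA", "aRSA"},
    "RC4-SHA":              {"MEDIUM", "kRSA", "aRSA"},
    "RC4-MD5":              {"MEDIUM", "kRSA", "aRSA"},
    "ADH-DES-CBC3-SHA":     {"HIGH", "kEDH", "aNULL", "ADH"},
    "ADH-RC4-MD5":          {"MEDIUM", "kEDH", "aNULL", "ADH"},
    "EXP-RC4-MD5":          {"EXPORT", "LOW", "kRSA", "aRSA"},
    "NULL-MD5":             {"eNULL", "kRSA", "aRSA"},
}
LATER = {**OPENSSL_096, "AECDH-AES128-SHA": {"HIGH", "kEECDH", "aNULL"}}


def cipher_list(spec, table=OPENSSL_096):
    """Evaluate a colon-separated cipher string as openssl ciphers(1) describes:
    a bare keyword appends its not-yet-listed matches, '-' deletes matches
    (a later keyword may add them back), '!' deletes them permanently, and
    '+' moves already-listed matches to the end.  AND-terms like 'RSA+HIGH'
    and the '@' controls are not modelled."""
    selected, killed = [], set()
    for item in spec.split(":"):
        if not item:
            continue
        op, kw = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hits = [n for n, attrs in table.items() if kw == n or kw in attrs]
        if op == "!":
            killed.update(hits)
        if op in ("!", "-"):
            selected = [n for n in selected if n not in hits]
        elif op == "+":
            selected = ([n for n in selected if n not in hits]
                        + [n for n in selected if n in hits])
        else:
            selected += [n for n in hits if n not in selected and n not in killed]
    return selected


def anonymous_suites(spec, table=OPENSSL_096):
    """Suites left enabled by spec that perform no server authentication."""
    return [n for n in cipher_list(spec, table) if "aNULL" in table[n]]


if __name__ == "__main__":
    for directive in ("HIGH:MEDIUM:!ADH", "HIGH:MEDIUM:-ADH:-aNULL",
                      "HIGH:MEDIUM:!ADH:ADH", "HIGH:MEDIUM:-ADH:ADH"):
        print(directive, "->", cipher_list(directive, LATER),
              "anonymous:", anonymous_suites(directive, LATER))
```

On the 0.9.6 table the two directives select the same suites; they diverge once a later element re-adds ADH, or once the table contains an anonymous suite that is not ADH.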
Re: Verifying enabled ciphers?
On Fri, Jan 24, 2003 at 09:30:28AM -, [EMAIL PROTECTED] wrote:
> Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.

OK. I did that, and the only one I support is RC4 with MD5. Strange, I thought I would be able to support more.

Actually, to amend my previous post, the ones I expected to see were:

    EDH-RSA-DES-CBC3-SHA
    EDH-DSS-DES-CBC3-SHA
    DES-CBC3-SHA
    DHE-DSS-RC4-SHA
    IDEA-CBC-SHA
    RC4-SHA
    RC4-MD5

since I have SSLv2 shut off. Would the above list be further limited by the type (RSA / DSA) of key I have? It is RSA.

> To unpack the terms:
>
> allows anonymous authentication - That sounds like allowing anyone to

I believe they mean Anonymous Diffie-Hellman. My SSLCipherSuite line excludes those, so I think they're wrong here.

> allows cleartext communication - That's what you get on non-secured sites. If the data doesn't need to be secured, there's no issue.

I believe they are referring to the NULL-MD5 cipher. I tested that with s_client, and I can't connect ('handshake failure'), so I don't believe I'm supporting that one either.

> supports weak encryption - Allows older browsers that have export-crippled security to connect. On the above Netcraft site, you'll see export version. The question for you is whether it is satisfactory to

Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according to my SSLCipherSuite line.

To follow up to Lutz, I tested all the ciphers with s_client against my server. The ones that I connected with were:

    DES-CBC3-SHA
    EDH-RSA-DES-CBC3-SHA
    IDEA-CBC-SHA
    RC4-MD5
    RC4-SHA

This is a shorter list than what I was expecting (at the top of this message).
The following did not connect, giving me a 'handshake failure':

    ADH-DES-CBC3-SHA
    ADH-DES-CBC-SHA
    ADH-RC4-MD5
    DES-CBC-SHA
    DHE-DSS-RC4-SHA
    EDH-DSS-DES-CBC3-SHA
    EDH-DSS-DES-CBC-SHA
    EDH-RSA-DES-CBC-SHA
    EXP1024-DES-CBC-SHA
    EXP1024-DHE-DSS-DES-CBC-SHA
    EXP1024-DHE-DSS-RC4-SHA
    EXP1024-RC2-CBC-MD5
    EXP1024-RC4-MD5
    EXP1024-RC4-SHA
    EXP-ADH-DES-CBC-SHA
    EXP-ADH-RC4-MD5
    EXP-DES-CBC-SHA
    EXP-EDH-DSS-DES-CBC-SHA
    EXP-EDH-RSA-DES-CBC-SHA
    EXP-RC2-CBC-MD5
    EXP-RC4-MD5

The following gave me 'illegal parameter':

    DES-CBC3-MD5
    DES-CBC-MD5
    IDEA-CBC-MD5
    RC2-CBC-MD5
    RC4-64-MD5

Thanks,
-- Steve [EMAIL PROTECTED]
Verifying enabled ciphers?
How can I verify the ciphers enabled by my webserver? The reason I ask is because I have been informed by a third-party security auditor that my server allows anonymous authentication, allows cleartext communication, and supports weak encryption. I am unable to verify any of these claims on my own.

Here is my information:

    Apache:  1.3.27
    mod_ssl: mod_ssl/2.8.12-1.3.27
    openssl: openssl-0.9.6g
    OS:      Solaris 8

Here are my relevant SSL directives from httpd.conf:

    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!ADH
    SSLProtocol all -SSLv2

According to

    /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH'

the supported ciphers for my server are:

    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS Enc=3DES(168) Mac=SHA1
    DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA Enc=3DES(168) Mac=SHA1
    DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA Enc=3DES(168) Mac=MD5
    DHE-DSS-RC4-SHA         SSLv3 Kx=DH   Au=DSS Enc=RC4(128)  Mac=SHA1
    IDEA-CBC-SHA            SSLv3 Kx=RSA  Au=RSA Enc=IDEA(128) Mac=SHA1
    RC4-SHA                 SSLv3 Kx=RSA  Au=RSA Enc=RC4(128)  Mac=SHA1
    RC4-MD5                 SSLv3 Kx=RSA  Au=RSA Enc=RC4(128)  Mac=MD5
    IDEA-CBC-MD5            SSLv2 Kx=RSA  Au=RSA Enc=IDEA(128) Mac=MD5
    RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA Enc=RC2(128)  Mac=MD5
    RC4-MD5                 SSLv2 Kx=RSA  Au=RSA Enc=RC4(128)  Mac=MD5

But apparently I am also supporting:

    ADH-DES-CBC-SHA
    DES-CBC-SHA
    EDH-DSS-DES-CBC-SHA
    EDH-RSA-DES-CBC-SHA
    EXP1024-DES-CBC-SHA
    EXP1024-DHE-DSS-DES-CBC-SHA
    EXP1024-DHE-DSS-RC4-SHA
    EXP1024-RC2-CBC-MD5
    EXP1024-RC4-MD5
    EXP1024-RC4-SHA
    EXP-ADH-DES-CBC-SHA
    EXP-ADH-RC4-MD5
    EXP-DES-CBC-SHA
    EXP-EDH-DSS-DES-CBC-SHA
    EXP-EDH-RSA-DES-CBC-SHA
    EXP-RC2-CBC-MD5
    EXP-RC4-MD5
    NULL-MD5
    NULL-SHA

Is the security auditor full of it? How can I verify their results from an external machine (they've scanned the network from an external box)?

Thanks,
-- Steve Chadsey [EMAIL PROTECTED]